Critical WatchGuard Fireware Flaw: 54,000 Devices at Risk of No-Login Attacks | CISA Alert Explained (2025)

Thousands of WatchGuard Firebox firewalls are vulnerable to attacks that could allow hackers to gain access without even needing a password. This is a serious issue that demands immediate attention.

On November 12, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a severe security flaw affecting WatchGuard Fireware to its Known Exploited Vulnerabilities (KEV) catalog. This designation means that the vulnerability is actively being exploited, making it a high-priority concern for organizations using WatchGuard firewalls.

The vulnerability, identified as CVE-2025-9242, has a high-severity score of 9.3 out of 10. It's an 'out-of-bounds write' vulnerability, which means attackers can potentially write data beyond the intended memory boundaries, leading to arbitrary code execution. This flaw impacts Fireware OS versions from 11.10.2 up to 11.12.4_Update1, 12.0 up to 12.11.3, and 2025.1. In simple terms, this vulnerability could allow remote, unauthenticated attackers to execute malicious code on the firewall.

Details of this vulnerability were initially disclosed by watchTowr Labs in October 2025. They found that the vulnerability stems from a missing length check during the IKE (Internet Key Exchange) handshake process, which potentially lets attackers bypass security measures before authentication. Security researcher McCaulay Hudson noted that the vulnerable code is reachable even before authentication.
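The bug class described above, a sender-supplied length trusted while parsing an IKE payload, shown as an added C example; it is not WatchGuard's code or the code watchTowr analyzed. The 4-byte generic payload header follows RFC 7296, while the function names and the 64-byte buffer are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GEN_HDR_LEN 4    /* next payload, flags, 2-byte big-endian length */
#define DST_LEN     64   /* constructed buffer size for this example */

/* Unsafe pattern, shown for contrast and never called here: the sender's
   length field alone decides how many bytes are written into dst. */
void copy_unchecked(const uint8_t *p, uint8_t *dst)
{
    size_t declared = ((size_t)p[2] << 8) | p[3];
    memcpy(dst, p + GEN_HDR_LEN, declared - GEN_HDR_LEN);
}

/* Hardened form: returns the body bytes copied, or -1 when rejected. */
int copy_checked(const uint8_t *p, size_t p_len, uint8_t *dst, size_t dst_len)
{
    if (p_len < GEN_HDR_LEN) return -1;            /* truncated header */
    size_t declared = ((size_t)p[2] << 8) | p[3];  /* length includes header */
    if (declared < GEN_HDR_LEN) return -1;         /* would underflow below */
    if (declared > p_len) return -1;               /* claims more than received */
    size_t body = declared - GEN_HDR_LEN;
    if (body > dst_len) return -1;                 /* would write past dst */
    memcpy(dst, p + GEN_HDR_LEN, body);
    return (int)body;
}

/* Builds a constructed payload (not captured traffic) carrying `actual`
   body bytes and a header that declares `declared` total bytes. */
int try_payload(unsigned declared, size_t actual)
{
    uint8_t pkt[GEN_HDR_LEN + 512] = {0};
    uint8_t dst[DST_LEN];
    if (actual > 512 || declared > 0xFFFF) return -1;
    pkt[2] = (uint8_t)(declared >> 8);
    pkt[3] = (uint8_t)(declared & 0xFF);
    memset(pkt + GEN_HDR_LEN, 'A', actual);
    return copy_checked(pkt, GEN_HDR_LEN + actual, dst, sizeof dst);
}

int main(void)
{
    printf("fits: %d\n", try_payload(4 + 16, 16));
    printf("oversized body: %d\n", try_payload(4 + 200, 200));
    printf("length exceeds datagram: %d\n", try_payload(300, 16));
    printf("length below header: %d\n", try_payload(3, 16));
    return 0;
}
```

The three rejections in `copy_checked` are independent: a length smaller than the header, a length larger than the received data, and a body larger than the destination each need their own test.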

While the exact methods of exploitation aren't fully known, the potential impact is significant. According to the Shadowserver Foundation, over 54,300 Firebox instances were still vulnerable as of November 12, 2025, down from a high of 75,955 on October 19.

Geographically, the U.S. has the highest number of vulnerable devices, with approximately 18,500 instances. Other countries with significant numbers include Italy (5,400), the U.K. (4,000), Germany (3,600), and Canada (3,000).

Federal Civilian Executive Branch (FCEB) agencies have been advised to apply WatchGuard's patches by December 3, 2025. This highlights the urgency of the situation and the need for immediate action to protect critical infrastructure.

CISA also added two other vulnerabilities to the KEV catalog: CVE-2025-62215 (a flaw in the Windows kernel) and CVE-2025-12480 (an improper access control vulnerability in Gladinet Triofox). The exploitation of CVE-2025-12480 has been attributed to a threat actor tracked as UNC6485 by Google's Mandiant Threat Defense team.


Author: Gov. Deandrea McKenzie
